Description
ONOS ONOS Controller version 1.13.1 and earlier contains a XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in An adversary can remotely launch advanced XXE attacks on ONOS controller without authentication.. This attack appear to be exploitable via crafted protocol message.
Remediation
References
http://gms.cl0udz.com/ONOS_Vul.pdf
https://gerrit.onosproject.org/#/c/18779/
Related Vulnerabilities
CVE-2022-21208 Vulnerability in npm package node-opcua
CVE-2022-35916 Vulnerability in npm package @openzeppelin/contracts-upgradeable
CVE-2019-12043 Vulnerability in maven package org.webjars.npm:remarkable
CVE-2022-27202 Vulnerability in maven package org.jenkins-ci.plugins:extended-choice-parameter